
CYBER SECURITY & ITS IMPACT ON FINANCIAL STATEMENTS AUDITS

BOB WAGNER
TUESDAY, NOVEMBER 10, 2015
FLORIDA SCHOOL FINANCE OFFICERS ASSOCIATION CONFERENCE
CORPORATE BOARDS RACE TO SHORE UP CYBERSECURITY
Wall Street Journal June 29, 2014
CHINA’S HACKERS ACCUSED OF A SPYING CAMPAIGN
Wall Street Journal April 13, 2015
WSJ, 2015
WHO IS THIS GUY?

• CTO For Tupperware Brands Past 14 years


• Previous Technology Consultant for Ernst & Young
• Developed Cyber Security Program for Tupperware Brands
• SOX & Audit Compliance Experience
• MBA-UCF
WHY SHOULD WE CARE ABOUT CYBER SECURITY?
• Because a CS breach can impact your financial statements
• Financial impact depends on many factors
• Target payload compromised (e.g. credit cards or social security numbers)
• Length of intrusion and theft
• Intent of hackers
• Disruption or Destruction
• Political
• Environmental
• Anonymous
WHY SHOULD WE CARE ABOUT CYBER SECURITY?

• Ransomware
• Direct Dollar Impact
• How much & how often
IMPACT OF THE CYBER SECURITY BREACH

• For some companies, it could be a going-out-of-business situation


• Significant dollar expenditures to remedy situation
• Loss of client confidence
• Legal fees & lawsuits
• Media humiliation

• Employee attrition
WHAT CAN YOU DO TO GET STARTED?
Begin with the Basics
• Keep up with software patches
• Close your online doors (within reason)
• Encrypt data when it makes sense
• Cost
• Speed
• Consider new password methods
• Fingerprints
• Change password policy; 10 vs 5
• Evaluate third-party vendors' access
• Target hit through heating/AC vendor equipment
• ISO 27001
• Family of standards to help secure data
• Includes people, processes, and IT systems

Source: WSJ
FRAMEWORK FOR IMPROVING CYBER SECURITY

National Institute of Standards and Technology (NIST)


5 Core Functions
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
IMPACT OF A CYBER SECURITY BREACH

Two main areas of CS oversight


• Risk Management
• Security is not just an IT issue
• Senior Management needs to drive the effort
• CS is one element of overall company risk
• Don’t fret about the technical aspects!
• Cyber liability insurance
• Employee security education
IMPACT OF A CYBER SECURITY BREACH

• Response Management or Crisis Management


• Who wants to talk to the Channel 9 reporter?
• Who put us in “the Cloud”?
• Response Team (C-level, legal, IT, HR, PR)
• Have a documented Response Plan
SUMMARY

• In short, this is a nightmare in your future


• You could spend millions and still not be 100% protected
• This is the new “Cost of doing Business”
• A breach could significantly damage the financial health of any company
• Recommendation is to take steps NOW to show due diligence in this area
AUDIT & BUSINESS RISK OF IT
BOB WAGNER
TUESDAY, NOVEMBER 10, 2015
AUDIT & BUSINESS RISK OF IT
• Our business depends on technology working every day
• Technology is growing more complicated
• More devices attached
• “Internet of Everything”
• Millions of lines of code
• Internal associates and clients are increasingly demanding
• Access from any place, any time, any device
• This all adds to risk: lots of moving parts
• IT holds the keys to the kingdom
• Heavily dependent on a strong IT team to keep business going
• Risk element of IT employee who goes bad
• Risk of outsourcing
AUDIT & BUSINESS RISK OF IT

• If email is down, business is down
• If clients can’t place orders, the cash cycle stops
• If distribution software is slow, trucks are backed up at the dock
• If the local server is down, we cannot deliver the promised proposal to clients
So…

OUR BUSINESS CAN NEVER BE DOWN!


HOW TO MITIGATE RISK?

• Senior Management involvement and understanding; not just an IT function


• What level of engagement do they have?
• This is the red flag you are looking for
• Each company should have an overall risk assessment
• IT can be one of the larger risks (both business & audit)
• Review IT Policies
• Look for lax policies or no policies
• Each company should have a risk team that sets policies
• Segregation of duties is huge, but many companies are too small, so…
• One IT person can cause lots of problems
HOW TO MITIGATE RISK?
• Companies are trying to do too many IT things at the same time
• The business can’t digest all of it
• Money is wasted on failed projects
• IT is typically not the stumbling block
• Even if business folks think it is

• Consideration should be given to forming an IT Steering Committee


• Made up of mostly business executives & the top IT person
• Look for regular meetings
• Monthly or quarterly
• Minutes taken with decisions reached
• Do they communicate the decisions?

In short, companies need to ensure the processes are in place to mitigate IT business risk
